Subversion a security risk?
Subversion allows users to keep track of changes made to source code. It’s very handy and many developers use it everyday, like me.
Some websites have a svn checkout in their public web folder to make faster updates if code change.
Letting the cat out of the bag right now: If the webserver has directory listening on, it’s easy to spy parts of your website.
If you take a closer look to the structure of Subversion you will notice that Subversion creates on every folder a subfolder called “.svn” with some files.
A example is a webshop which uses Subversion on the web server.
The start site of the webshop
After adding a “.svn/” in the URL, you see the svn structure.
The subfolder “text-base” shows us which files are in the folder
we can view the configuration file …
.. and the database dump
Sure this was fictitious, but we saw that it was easy to look at the structure of the site and view the files on the server with an webbrowser, we didn’t know before.
Take care of your production site if you have running a Subversion checkout on it!
If you’re running apache, you can deny an svn listing via the domain’s configuration files (or your .htaccess file if your server is configured such):
Deny from all
and, because you may not be able to see that in the previous comment:
<Directory ~ “^\.svn”>
Deny from all
</Directory>
Good point, thanks for your comment.
“^.svn” will only match directly underneath DocumentRoot. Here is my take at it: “(^|/)\.svn(/|$)”. I.e. this matches any of
.svn
.svn/something
something/.svn
something/.svn/something